CWE-601 — URL Redirection to Untrusted Site (Open Redirect)
1,356 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories.
CVEs classified under CWE-601 (page 5 of 28)
- CVE-2019-19613 | MEDIUM | CVSS 5.2 | EG 5.2 | 2020-03-16
An issue was discovered in Halvotec RaQuest 10.23.10801.0. The login page of the admin application is vulnerable to an Open Redirect attack allowing an attacker to redirect a user to a malicious site after authentication. The attacker need…
- CVE-2019-19703 | MEDIUM | CVSS 6.1 | EG 6.1 | 2019-12-10
In Ktor through 1.2.6, the client resends data from the HTTP Authorization header to a redirect location.
- CVE-2019-19709 | MEDIUM | CVSS 6.1 | EG 6.1 | 2019-12-11
MediaWiki through 1.33.1 allows attackers to bypass the Title_blacklist protection mechanism by starting with an arbitrary title, establishing a non-resolvable redirect for the associated page, and using redirect=1 in the action API when e…
- CVE-2019-19758 | MEDIUM | CVSS 6.1 | EG 6.1 | 2020-02-14
A vulnerability in the web interface of Lenovo EZ Media & Backup Center, ix2 & ix2-dl version 4.1.406.34763 and prior could allow an unauthenticated, remote attacker to redirect a user to an untrusted web page.
- CVE-2019-19775 | MEDIUM | CVSS 6.1 | EG 6.1 | 2019-12-18
The image thumbnailing handler in Zulip Server versions 1.9.0 to before 2.0.8 allowed an open redirect that was visible to logged-in users.
- CVE-2019-20225 | MEDIUM | CVSS 6.1 | EG 6.1 | 2020-01-02
MyBB before 1.8.22 allows an open redirect on login.
- CVE-2019-20479 | MEDIUM | CVSS 6.1 | EG 6.1 | 2020-02-20
A flaw was found in mod_auth_openidc before version 2.4.1. An open redirect issue exists in URLs with a slash and backslash at the beginning.
- CVE-2019-20901 | MEDIUM | CVSS 6.1 | EG 6.1 | 2020-07-13
The login.jsp resource in Jira before version 8.5.2, and from version 8.6.0 before version 8.6.1 allows remote attackers to redirect users to a different website which they may use as part of performing a phishing attack via an open redire…
- CVE-2019-25155 | MEDIUM | CVSS 6.1 | EG 6.1 | 2023-11-07
DOMPurify before 1.0.11 allows reverse tabnabbing in demos/hooks-target-blank-demo.html because links lack a 'rel="noopener noreferrer"' attribute.
- CVE-2019-25282 | CRITICAL | CVSS 9.8 | EG 9.8 | 2026-01-08
V-SOL GPON/EPON OLT Platform v2.03 contains an open redirect vulnerability in the script that allows attackers to manipulate the 'parent' GET parameter. Attackers can craft malicious links that redirect logged-in users to arbitrary website…
- CVE-2019-3477 | MEDIUM | CVSS 6.1 | EG 6.1 | 2019-06-07
Micro Focus Solution Business Manager versions prior to 11.4.2 are susceptible to open redirect.
- CVE-2019-3778 | MEDIUM | CVSS 6.5 | EG 6.5 | 2019-03-07
Spring Security OAuth, versions 2.3 prior to 2.3.5, and 2.2 prior to 2.2.4, and 2.1 prior to 2.1.4, and 2.0 prior to 2.0.17, and older unsupported versions could be susceptible to an open redirector attack that can leak an authorization co…
- CVE-2019-3788 | HIGH | CVSS 8.7 | EG 6.1 | 2019-04-25
Cloud Foundry UAA Release, versions prior to 71.0, allows clients to be configured with an insecure redirect uri. Given a UAA client was configured with a wildcard in the redirect uri's subdomain, a remote malicious unauthenticated user ca…
- CVE-2019-3850 | MEDIUM | CVSS 4.3 | EG 4.3 | 2019-03-26
A vulnerability was found in moodle before versions 3.6.3, 3.5.5, 3.4.8 and 3.1.17. Links within assignment submission comments would open directly (in the same window). Although links themselves may be valid, opening within the same windo…
- CVE-2019-3877 | MEDIUM | CVSS 5.8 | EG 6.1 | 2019-03-27
A vulnerability was found in mod_auth_mellon before v0.14.2. An open redirect in the logout URL allows requests with backslashes to pass through by assuming that it is a relative URL, while the browsers silently convert backslash character…
- CVE-2019-3912 | MEDIUM | CVSS 6.1 | EG 6.1 | 2019-01-30
An open redirect vulnerability in LabKey Server Community Edition before 18.3.0-61806.763 via the /__r1/ returnURL parameter allows an unauthenticated remote attacker to redirect users to arbitrary web sites.
- CVE-2019-4035 | MEDIUM | CVSS 5.4 | EG 5.4 | 2019-03-22
IBM Content Navigator 3.0CD could allow attackers to direct web traffic to a malicious site. If attackers make a fake IBM Content Navigator site, they can send a link to ICN users to send request to their Edit client directly. Then Edit cl…
- CVE-2019-4092 | MEDIUM | CVSS 6.1 | EG 6.1 | 2019-04-25
IBM Content Navigator 2.0.3 and 3.0CD could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerabilit…
- CVE-2019-4153 | MEDIUM | CVSS 6.8 | EG 6.8 | 2019-06-25
IBM Security Access Manager 9.0.1 through 9.0.6 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vu…
- CVE-2019-4166 | MEDIUM | CVSS 6.1 | EG 6.1 | 2019-04-30
IBM StoredIQ 7.6 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL di…
- CVE-2019-4201 | MEDIUM | CVSS 6.1 | EG 6.1 | 2019-06-06
IBM Jazz for Service Management 1.1.3, 1.1.3.1, and 1.1.3.2 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exp…
- CVE-2019-4209 | MEDIUM | CVSS 6.1 | EG 6.1 | 2020-05-01
HCL Connections v5.5, v6.0, and v6.5 contains an open redirect vulnerability which could be exploited by an attacker to conduct phishing attacks.
- CVE-2019-4538 | HIGH | CVSS 8.2 | EG 8.2 | 2019-10-02
IBM Security Directory Server 6.4.0 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability …
- CVE-2019-4595 | MEDIUM | CVSS 6.1 | EG 6.1 | 2020-02-24
IBM Sterling B2B Integrator Standard Edition 5.2.0.0 through 5.2.6.5 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker …
- CVE-2019-4631 | MEDIUM | CVSS 6.1 | EG 6.1 | 2020-01-28
IBM Security Secret Server 10.7 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to s…
- CVE-2019-5433 | MEDIUM | CVSS 5.4 | EG 5.4 | 2019-05-06
A user having access to the UI of a Revive Adserver instance could be tricked into clicking on a specifically crafted admin account-switch.php URL that would eventually lead them to another (unsafe) domain, potentially used for stealing cr…
- CVE-2019-5823 | MEDIUM | CVSS 5.4 | EG 5.4 | 2019-06-27
Insufficient policy enforcement in service workers in Google Chrome prior to 74.0.3729.108 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page.
- CVE-2019-5915 | MEDIUM | CVSS 6.1 | EG 6.1 | 2019-02-13
Open redirect vulnerability in OpenAM (Open Source Edition) 13.0 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a specially crafted page.
- CVE-2019-5946 | MEDIUM | CVSS 6.1 | EG 6.1 | 2019-05-17
Open redirect vulnerability in Cybozu Garoon 4.2.4 to 4.10.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the Login Screen.
- CVE-2019-5965 | MEDIUM | CVSS 6.1 | EG 6.1 | 2019-07-05
Open redirect vulnerability in Joruri Mail 2.1.4 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.
- CVE-2019-5969 | MEDIUM | CVSS 6.1 | EG 6.1 | 2019-07-05
Open redirect vulnerability in GROWI v3.4.6 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the process of login.
- CVE-2019-5978 | MEDIUM | CVSS 6.1 | EG 6.1 | 2019-09-12
Open redirect vulnerability in Cybozu Garoon 4.0.0 to 4.10.2 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the application 'Scheduler'.
- CVE-2019-6004 | MEDIUM | CVSS 6.1 | EG 6.1 | 2019-09-12
Open redirect vulnerability in ApeosWare Management Suite Ver.1.4.0.18 and earlier, and ApeosWare Management Suite 2 Ver.2.1.2.4 and earlier allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via u…
- CVE-2019-6009 | MEDIUM | CVSS 6.1 | EG 6.1 | 2019-09-12
Open redirect vulnerability in SHIRASAGI v1.7.0 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.
- CVE-2019-6020 | MEDIUM | CVSS 6.1 | EG 6.1 | 2019-12-26
Open redirect vulnerability in PowerCMS 5.12 and earlier (PowerCMS 5.x), 4.42 and earlier (PowerCMS 4.x), and 3.293 and earlier (PowerCMS 3.x) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks vi…
- CVE-2019-6021 | MEDIUM | CVSS 6.1 | EG 6.1 | 2019-12-26
Open redirect vulnerability in Library Information Management System LIMEDIO all versions allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a specially crafted URL.
- CVE-2019-6025 | MEDIUM | CVSS 6.1 | EG 6.1 | 2019-12-26
Open redirect vulnerability in Movable Type series Movable Type 7 r.4602 (7.1.3) and earlier (Movable Type 7), Movable Type 6.5.0 and 6.5.1 (Movable Type 6.5), Movable Type 6.3.9 and earlier (Movable Type 6.3.x, 6.2.x, 6.1.x, 6.0.x), Movab…
- CVE-2019-6035 | MEDIUM | CVSS 6.1 | EG 6.1 | 2019-12-26
Open redirect vulnerability in Athenz v1.8.24 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a specially crafted page.
- CVE-2019-6696 | MEDIUM | CVSS 6.1 | EG 6.1 | 2020-03-15
An improper input validation vulnerability in FortiOS 6.2.1, 6.2.0, 6.0.8 and below until 5.4.0 under admin webUI may allow an attacker to perform a URL redirect attack via a specifically crafted request to the admin initial password chan…
- CVE-2019-6741 | CRITICAL | CVSS 9.3 | EG 9.3 | 2019-06-03
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Samsung Galaxy S9 prior to January 2019 Security Update (SMR-JAN-2019 - SVE-2018-13467). User interaction is required to exploit this vulne…
- CVE-2019-6780 | MEDIUM | CVSS 6.1 | EG 6.1 | 2019-01-24
The Wise Chat plugin before 2.7 for WordPress mishandles external links because rendering/filters/post/WiseChatLinksPostFilter.php omits noopener and noreferrer.
- CVE-2019-6781 | HIGH | CVSS 7.5 | EG 7.5 | 2019-05-17
An Improper Input Validation issue was discovered in GitLab Community and Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It was possible to use the profile name to inject a potentially malicious link into…
- CVE-2019-7275 | MEDIUM | CVSS 6.1 | EG 6.1 | 2019-07-01
Optergy Proton/Enterprise devices allow Open Redirect.
- CVE-2019-7416 | MEDIUM | CVSS 6.1 | EG 6.1 | 2019-03-21
XSS and/or a Client Side URL Redirect exists in OpenText Documentum Webtop 5.3 SP2. The parameter startat in "/webtop/help/en/default.htm" is vulnerable.
- CVE-2019-8791 | MEDIUM | CVSS 6.1 | EG 6.1 | 2019-12-18
An issue existed in the parsing of URL schemes. This issue was addressed with improved URL validation. This issue is fixed in Shazam Android App Version 9.25.0, Shazam iOS App Version 12.11.0. Processing a maliciously crafted URL may lead …
- CVE-2019-8951 | MEDIUM | CVSS 6.1 | EG 6.1 | 2019-05-13
An Open Redirect vulnerability located in the webserver affects several Bosch hardware and software products. The vulnerability potentially allows a remote attacker to redirect users to an arbitrary URL. Affected hardware products: Bosch D…
- CVE-2019-8995 | MEDIUM | CVSS 6.1 | EG 6.1 | 2019-04-24
The workspace client, openspace client, and app development client of TIBCO Software Inc.'s TIBCO ActiveMatrix BPM, TIBCO ActiveMatrix BPM Distribution for TIBCO Silver Fabric, and TIBCO Silver Fabric Enabler for ActiveMatrix BPM contain a…
- CVE-2019-9140 | HIGH | CVSS 8.1 | EG 8.1 | 2019-08-01
When processing Deeplink scheme, Happypoint mobile app 6.3.19 and earlier versions doesn't check Deeplink URL correctly. This could lead to javascript code execution, url redirection, sensitive information disclosure. An attacker can explo…
- CVE-2019-9837 | MEDIUM | CVSS 6.1 | EG 6.1 | 2019-03-21
Doorkeeper::OpenidConnect (aka the OpenID Connect extension for Doorkeeper) 1.4.x and 1.5.x before 1.5.4 has an open redirect via the redirect_uri field in an OAuth authorization request (that results in an error response) with the 'openid…
- CVE-2019-9915 | MEDIUM | CVSS 6.1 | EG 6.1 | 2019-03-22
GetSimpleCMS 3.3.13 has an Open Redirect via the admin/index.php redirect parameter.